Walling off Asian E-mail to Prevent Spam

SomeoneYouDontKnow writes: "Seems there's been lots of spam news lately. This piece from Wired describes how frustrated sysadmins in the West are responding to a torrent of Asian spam by simply refusing all e-mail from that part of the world. As anyone who's ever reported spam to Asian ISPs can attest, getting a response of any kind is almost impossible, so some ISPs are simply giving up on receiving any mail from them. Setting up barriers like this is regrettable, but when the originating ISPs refuse to take responsibility for the actions of their users or close their open mail servers, there would seem to be no other choice. Has anyone ever had any kind of constructive conversation with one of these ISPs to see why they are unable or unwilling to do anything?"

  • by doubtless ( 267357 ) on Wednesday February 20, 2002 @10:13AM (#3037531) Homepage
    Well, it's a shame when that happens. I am from Asia, and when I was there I didn't even have the confidence to use local ISP email account. Anybody can still use yahoo, hotmail or any other free services to contact their western friends.

    I guess this affects Asian businesses more than the local folks. When businesses start to complain to their ISP why they can't send any mails to their western counterparts, maybe the ISP will start to listen.

    Some ISPs there have very underqualified admins (the good ones moved here to the US ;-), heck, some of them can't even understand English very well. ISPs there have a habit of hiring a contract person to set up everything and leave it.
  • by Moderation abuser ( 184013 ) on Wednesday February 20, 2002 @10:23AM (#3037582)
    Why not use a domain hitlist? Get more than a couple of spams from a domain, bounce everything from the domain[1]. It's less arbitrary than closing off everything from Asia on the basis of a few spammer ISPs.

    [1] Bye bye Yahoo, AOL, Hotmail for a start.

  • by Rogerborg ( 306625 ) on Wednesday February 20, 2002 @10:31AM (#3037628) Homepage
      • frustrated sysadmins in the West are responding to a torrent of Asian spam by simply refusing all e-mail from that part of the world [says Slashdot]
      Anti-spam activists confirm that a growing number of beleaguered systems administrators are now blocking all e-mail originating from Asia from their systems [says the article]

    Bollocks, says anyone reading it with a critical eye. There are no references or sources for this sweeping "all Asian email" statement. The single reference is to Spamhaus [spamhaus.org] which implements selective listing of domains that persistently generate or carry spam and decline to respond to spam reports. Most of their listed ISPs are currently US based. There is specific mention of two Chinese ISPs, and none from any other Asian nation.

    To make a story out of this, you have to cite metrics. The fact that Spamhaus are currently blacklisting China Telecom no more proves that "the west" is blocking "the east" than a story about anyone temporarily blacklisting AOL (again) proves that there is some mass move to block "the west".

    Without giving metrics, you're just providing anecdotes. Persuasive anecdotes, sure, that probably appeal to our personal experiences, but those are the most dangerous kind, because they stop you looking for the real story and asking the real questions.

    The real question here isn't "Why do Spamhaus currently blacklist China Telecom?" but "Why don't Spamhaus currently blacklist Roadrunner?" or any of another half dozen ignorant ISPs that deny that they are injecting spam even in the face of unequivocal header evidence. Perhaps we in the "west" (sweeping-generalisations-r-us) could go about cleaning up our own house before we go gunning for those coming late to the party.

  • by bero-rh ( 98815 ) <bero AT redhat DOT com> on Wednesday February 20, 2002 @10:48AM (#3037710) Homepage
    Simply report them to the police - identity theft and fraud are considered real crimes even by clueless law enforcement offices that usually don't do anything about spammers. (Yes, I've done it before).
  • by Anonymous Coward on Wednesday February 20, 2002 @10:49AM (#3037712)
    We're getting close to something similar here where I work (a carrier class ISP) because we are getting so many complaints from our customers about spam (and worse) and getting no response worth speaking of from most Asian ISPs. The problem is that many of the responsible "Mom and Pop" ISPs that *do* respond to abuse reports in a timely and effective manner are themselves customers of the major ISPs that simply refuse to respond, so the sledgehammer solutions will also impact the innocents, as usual. Some of the extremists here are actually talking about dumping *all* traffic from particularly recalcitrant ISPs to null on our routers.

    Basically, what they have in mind is at the top level of escalation we threaten the ISP with "fix your problem or we will discard *any* packets going to and from your IP space if it touches our edge routers." For those not clued up on this, this means that the Asian ISP (and all of its customers) will effectively cease to exist for us, our customers, and anyone totally unconnected with us who just happens to try and route across our IP space. We've actually done this with one major Asian ISP who told our MD in quite lucid, albeit very offensive, English that they would not deal with one of their customers who was being especially unsociable and to mind our own business. His response was basically "The Internet is very much about cooperation, so if you won't cooperate with us, why should we cooperate with you? Goodbye!"

    Sadly, APNIC seems just as unwilling to help as some of the ISPs they issue space to - a far cry from RIPE in my experience, who quite frequently contact us regarding abuse issues. It's definitely getting near the point that an "Internet Death Sentence" is going to become a topic of serious discussion IMHO. It's not the spammers that are the real problem here; it's the Asian SysAdmins that are giving them a haven and providing them with the open relays, either deliberately or through ignorance, that need to be convinced to wise-up and stop burying their collective heads in the sand.

  • by Rogerborg ( 306625 ) on Wednesday February 20, 2002 @10:54AM (#3037729) Homepage
    • On the other end, if many of those domains are in the Orbz [orbz.org] or other blacklists, maybe just using those would be better

    Do the reading. Despite the shrieking tone of the article, what we are talking about here is Spamhaus [spamhaus.org] blacklisting China Telecom, not "all Asian ISPs". That's the entire story. And Spamhaus themselves suggest that their list should be used in conjunction with an open relay list.

  • Re:Over reacting (Score:3, Informative)

    by Zapman ( 2662 ) on Wednesday February 20, 2002 @10:56AM (#3037733)

    Spam, while annoying, is not the end of the world.

    Maybe for you. But read the article. There are mail admins who receive more than a hundred spam requests per second from Chinese IP addresses. That adds up to REAL money, really quickly. Adding the addresses to this database still costs bandwidth, since you have to receive all the headers before you can run your spam check.

    Global blocking of the connecting IP range means you can do it from the first SYN packet.

  • Re:Over reacting (Score:2, Informative)

    by RedHat Rocky ( 94208 ) on Wednesday February 20, 2002 @10:58AM (#3037740)
    You're neglecting the cost in bandwidth to transmit all that spam. Multiply your situation by a couple million.

    Remember that the next time your connection seems a little slow.

    Good spam blockers don't just filter the email, it's already wasted bandwidth and resources at that point. Good spam blockers such as rblsmtpd from the qmail package drop the connection as soon as a black listed IP connects, with an error message for those sending legitimate mail.

    For example, a black listed IP hitting my mail server sees:

    "553 <see http://www.vh.org/rbl.html> Email not accepted from IP address:61.99.120.39"

    SPAMMERS, who typically use FRAUDULENT Reply-to headers, will never see this error, while legitimate email senders will and will be able to plead for the email to be delivered.
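
The connect-time blacklist check described in the comment above, as an added Python example (not part of the original post and not rblsmtpd's code). The zone `dnsbl.example.org`, the info URL, the `allow_nets` parameter and the listed addresses are constructed for illustration; the reply line follows the format quoted above.

```python
import ipaddress
import socket

LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip, zone):
    """Reverse the IPv4 octets and append the list's zone: 192.0.2.39 -> 39.2.0.192.<zone>."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this sketch only handles IPv4 clients")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def system_resolver(name):
    """A-record lookup via the OS resolver; an empty list means 'no such name'."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:  # NXDOMAIN, timeout, no network: treated as 'not listed'
        return []


def is_listed(ip, zone, resolve=system_resolver):
    """Listed only if the zone answers with a 127.0.0.0/8 address.

    Any other answer (a wildcarded or parked zone, a rewriting resolver)
    is ignored, so a dead list cannot silently block every sender.
    """
    answers = resolve(dnsbl_query_name(ip, zone))
    return any(ipaddress.ip_address(a) in LOOPBACK_NET for a in answers)


def connect_time_verdict(ip, zone, info_url, allow_nets=(), resolve=system_resolver):
    """Decide before the SMTP dialogue starts. Returns (accept, reply_line)."""
    addr = ipaddress.ip_address(ip)
    # Local exceptions win over the list (a known sender caught in a wide listing).
    if any(addr in ipaddress.ip_network(n) for n in allow_nets):
        return True, None
    if is_listed(ip, zone, resolve):
        # The reply tells a legitimate sender where to ask for delisting.
        reply = "553 <see %s> Email not accepted from IP address:%s" % (info_url, ip)
        return False, reply
    return True, None


# Constructed data: one documentation-range IP is listed, and another gets a
# non-127 answer, simulating a zone that has been parked or wildcarded.
FAKE_ZONE = {
    "39.2.0.192.dnsbl.example.org": ["127.0.0.2"],
    "7.100.51.198.dnsbl.example.org": ["203.0.113.10"],
}


def fake_resolver(name):
    return FAKE_ZONE.get(name, [])


if __name__ == "__main__":
    for client in ("192.0.2.39", "198.51.100.7", "192.0.2.40"):
        print(client, connect_time_verdict(
            client, "dnsbl.example.org", "http://example.org/rbl.html",
            resolve=fake_resolver))
```

Treating a failed lookup as "not listed" is a choice made in this sketch: mail keeps flowing when the list is unreachable, at the cost of letting listed hosts through during an outage.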

  • by xiaix ( 247688 ) on Wednesday February 20, 2002 @10:59AM (#3037749) Homepage
    Translate [worldlingo.com] your message into Chinese, Korean whatever before sending it. It probably won't help, but I think there is a slightly better chance of a reply. (I tried pasting results here but it won't allow it. Oh well.)
  • by macdaddy ( 38372 ) on Wednesday February 20, 2002 @11:20AM (#3037866) Homepage Journal
    A good example of when warning or trying to educate an ISP doesn't work is Broadwing.net. Alan Ralsky, one of the fathers of spam, uses them all the damned time. They provide connectivity for spamming operations that abuse open relays, host spamvertised sites, and much more. They have been warned by everyone and their dogs. I used to LART them all the time before I finally gave up. I just blacklist their network. At last count that was 3 /14s, a /24, and a /28. They can rot in my blacklist of hell for all I care.
  • by Rogerborg ( 306625 ) on Wednesday February 20, 2002 @11:22AM (#3037875) Homepage
    • Cultural issues also contribute to the problem. Many spammers in Asia say they do not understand why spam is a problem. "It's a sign of respect that someone sends you an electric business card. It means he wants you as a customer," said Zhao Peng, owner of a computer store in Hong Kong.

    Cultural homogeny is one of the most fascinating aspects of the internet. Sure, in much of Asia, it's traditionally a sign of respect to give an individual a hard copy of your business card. But that in itself is just the most recent evolution of a long tradition of formalised introductions and determining of relative position, and there's no reason to believe that spam will continue to be tolerated by users there (assuming this claim is true) once the novelty value wears off.

    I'll go out on a limb to suggest that while UCE within Asia is perhaps currently viewed as synonymous with a business card, given time, when it is viewed in its own light (rather than as just being considered analogous to a traditional activity), it will be viewed with the same contempt and hatred that the rest of the world already has for it.

    I'll draw a parallel with email in general in the US and Europe. For those coming late to the party, many early (80's and early 90's, and by the way, I was a Prestel user in the 80's, using my ZX Spectrum and breeze block modem) home and business users of email initially tended to treat it as a letter, starting with "Dear Bob", and taking care with spelling and punctuation. (Don't confuse this with academic users or l33t h4x0rz coming to the medium with a fair idea of what it was and why they wanted it). It took a while to evolve in popular consciousness into more of an informal and disposable post-it note or phone call analog, although really it's in a category all of its own.

    So while it's easy for us to scoff in disbelief at the naivete of Asian users now, let's not forget those Dear Bob days. Global consensus will take a while to arrive. And lest we get too high and mighty, it might very well involve a shift in our perceptions as well.

    You see, the thing that really bugs me about spam is that it's so moronic and illiterate. "!!!MAKE $$$ FAST!!!" it shrieks, and "you have, nothign to loose!". Call me strange, but if I were (ever, in theory) to receive a small, literate and polite spam that didn't lie about remove options or oversell itself, it just advertised a product, then I'd be far less inclined to spamcop it. The idea of a "business card" type spam is far less loathsome to me than yet another two hundred line "THIS IS NOT A PIRIMID SKAM!!!!!" monstrosity.

  • by mjh ( 57755 ) <(moc.nalcnroh) (ta) (kram)> on Wednesday February 20, 2002 @11:29AM (#3037908) Homepage Journal
    I think you might be interested in using self destructing email addresses. I've just started using TMDA [sourceforge.net]. You can set it up so that all outgoing email to someone that you don't know will generate a "dated" address. This address will be valid (by default) for 5 days. After 5 days, TMDA will automatically reject any email directed to it.

    Other things you can do with TMDA include:

    • Requiring anyone unknown to you to send a confirmation
    • Automatically adding all valid confirmations to your "known" list
    • Generating sender email addresses, that will allow a specific sender (such as a mailing list) to send you email. No one other than that specific sender will be able to use a sender address
    • Generating keyword email addresses. This is similar to what you're talking about already. Where you generate unique addresses, each of which will be allowed to get to your mailbox. But will also allow you to track who is giving out your email address.
    TMDA takes a little bit of work to be able to understand what's going on, but once you get it set up, it's pretty effective.

    Good luck.

  • Re:Ban Asia??? (Score:4, Informative)

    by jd142 ( 129673 ) on Wednesday February 20, 2002 @11:33AM (#3037929) Homepage
    Actually I get attacked a lot from wandaoo.fr. So banning France here would be an option. I get attacked more from there than from Asia.
  • by agrounds ( 227704 ) on Wednesday February 20, 2002 @11:55AM (#3038089)
    Regarding the English. While I was stationed in Korea in the Army, I learned that as a requirement to graduate from the equivalent of Elementary school, students must be able to read and write 'book English.' To progress past Middle School, students must have a grasp of conversational or colloquial English. The high-school requires the addition of yet another language, which the majority of students I met wound up taking Japanese. While a great many Koreans feigned not understanding English to avoid 'Evil American Military GIs', the bottom line was that the vast majority of urban citizens speak, read, and write English fluently.
  • by 13013dobbs ( 113910 ) on Wednesday February 20, 2002 @12:27PM (#3038274) Homepage
    Well, in my job, I have had the pleasure of talking to many a customer who had an open relay. Here are some VERY common reasons:

    • "What mail server?" Someone's DNS has a mail server installed on it. The customer did a default install of his OS and it installs a mail server by default. Some customers are not even aware that there is a mail server installed on the box.
    • "That old box?" "Sendmail 8.6-SMI runs just fine, why would I change it?" MTAs came 'open' by default until about 3 years ago. You would be surprised at how many mail boxes just run at the back of some office for years on end with no intervention.
    • "But, it needs to be open" Customers have users who travel or send mail from different ISPs. Instead of using POP-before-SMTP or AuthenticatedSMTP they just open the mail server up to everyone. It is just easier that way.

    I hope this has answered your questions.

  • by coyote-san ( 38515 ) on Wednesday February 20, 2002 @01:06PM (#3038602)
    If you are a (non-military) pilot, you are *required* to have a minimal working knowledge of English. All radio communications are required to use English, by international treaty. In many other fields, English is used by convention, not explicit treaty. But it's still the most common shared language.

    This isn't cultural imperialism, it's a recognition of the fact that we need a shared language - *any* shared language - and English is a good choice for it. It uses a simple alphabet, has simple conjugation rules, and a well-known "international English" subset that's sufficient for most routine interactions.

    It's also important to remember the flip side of this - native English speakers need to be able to understand the heavily accented and mangled English of non-native speakers. In some ways this is harder than learning Int'l English - the non-native speakers only need to learn one language, we have to learn dozens of variants.

    Bottom line: any ISP larger than a 2-person shop should have employees able to understand the gist of these complaints and to respond. Their English may be broken, but that's sufficient for communications to occur.
  • by Thr34d ( 42275 ) on Wednesday February 20, 2002 @02:07PM (#3039021) Homepage
    I've had the fortune (misfortune) to deal with some of this first hand.

    About 1.5 years ago I was working for iPlanet as a backline support person. The summer of 2000 we had a rash of Asian telcos running our e-mail server and crashing and burning.

    So I got sent to Asia to try and figure out what was going on at our three largest telcos there, Unitel [unitel.co.kr] and Hanaro Telecom in Korea and Jiangsu Telecom (can't find their homepage at the moment) in China.

    What I found in both cases was frightening. Pro-Serv had done a good job of implementing a mail system that would handle a normal user load just fine. But, in both cases the load was 5 times what was planned for. So the servers were dying under the load.

    After very little investigation I found out that several of the subscribers were spamming via their ISP. When I first pointed this out to the powers that be there I got a blank reply along the lines of "So?".

    As management and I delved into it the opinion that the ISP was forming was that these are customers, we can't just cut them off, they will leave and we will lose money.

    I tried the normal counters like, "The abusers are bringing down the service for your normal subscribers. The normal subscribers are getting mad (some even started anti Unitel sites) and they're going to leave in droves if this keeps up. And then all you're going to be left with is a few subscribers who are costing you more in the long run. Bandwidth costs associated with the spamming, hardware upkeep for a few users, etc."

    The sysadmins and techs got all this but management was so scared of losing a customer and that customer's money that they would not dare do a thing about it.

    I ended up leaving both sites having accomplished stabilizing the systems as much as I could but not solving the actual problem, getting the ISP to come up with and enforce some terms of service.

    So to me what it comes down to is capitalism run amok, especially in Korea. Management is so blinded by "making it big" they fail to see the real disaster looming on the horizon.

    Don't blame uncaring techs, blame the top level for driving this thing into the ground.

    At least I can say I had a great time visiting those countries and taking in the other parts of their real culture. But, July in Seoul is miserable.
  • by Anonymous Coward on Wednesday February 20, 2002 @03:52PM (#3039554)
    If I initiate an email conversation with a human being, I prefer to give an address that will keep working. So I use persistent addresses that I cycle about once a year. I'm careful not to use them on mailing lists or netnews. They still get a little spam, but it's not that bad.

    With TMDA you have a number of options.

    1. The easiest would be to put all of the known email addresses that you know for that person into your whitelist. Then you simply communicate with them like TMDA isn't there.
    2. You could also set up your email so that you automatically generated a new "dated" address for each response that you send. You can also change the default timeout for each address so that it's longer than 5 days. You could change it to be 1 year if you like.
    3. The other thing that you could do is to assign that particular user a "sender" address. Unfortunately that address will only work if they send their email from the same address all the time.
    4. You could assign this user a "keyword" address that they would be able to use from anywhere. This also means that anyone can use that address, which means that if it got onto a spam list, you'd get mail into your mailbox. On the other hand, if you chose unique enough keywords, you'd be able to track who gave out your email address to a spam list, and then revoke that email address.
    So there's a fair amount that you can do, but....
    Filtering on sender address is rude too.
    .... you might be happier with spamassassin [spamassassin.org] which uses a number of tests to grade an email for its spamminess. If that program thinks that the email is a spam, then you simply decide what it is that you want to do with it (e.g. delete it, store it in a different mbox, etc).

    Of course this is susceptible to error, either false negatives which cause spam to end up in your mailbox, or false positives which cause legit email to end up in your spambox or deleted. I use spamassassin. I did not find any false positives, but about 2% false negatives. So I implemented TMDA to handle all email that falls through spamassassin. So far, it's kept my mailbox pretty spamfree.

    Of course, you're right that all of this requires that legitimate people who want to talk to me may require an additional step. What I've found is that most people who do this are happy to get confirmation back that I exist and that their email really is getting to me. YMMV.

    Good luck.
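
How the "dated" and "keyword" addresses discussed in the two TMDA comments above can be made tamper-evident and revocable, as an added Python example (not part of the original posts and not TMDA's own code). The address layout `user-kind-value.tag@domain`, the HMAC-SHA256 tag, the secret and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"  # assumption: per-user key known only to the filter
TAG_HEX = 12                         # hex digits of the HMAC kept in the address


def _tag(kind, value):
    """Truncated HMAC binding the address type and its value to the secret."""
    msg = ("%s:%s" % (kind, value)).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:TAG_HEX]


def make_dated(user, domain, now, lifetime=5 * 86400):
    """Address that stops working `lifetime` seconds after `now` (default 5 days)."""
    expires = str(int(now) + lifetime)
    return "%s-dated-%s.%s@%s" % (user, expires, _tag("dated", expires), domain)


def make_keyword(user, domain, keyword):
    """Address handed to one party; usable by any sender until the keyword is revoked."""
    return "%s-keyword-%s.%s@%s" % (user, keyword, _tag("keyword", keyword), domain)


def check_recipient(address, now, revoked=()):
    """Return (deliver, reason) for an incoming recipient address."""
    local = address.rpartition("@")[0]
    parts = local.split("-", 2)  # assumes the user part contains no hyphen
    if len(parts) != 3 or parts[1] not in ("dated", "keyword"):
        return False, "untagged: hold and ask sender to confirm"
    kind = parts[1]
    value, dot, tag = parts[2].rpartition(".")
    # Verify the tag before trusting anything parsed out of the address.
    if not dot or not hmac.compare_digest(tag.encode(), _tag(kind, value).encode()):
        return False, "forged or altered tag"
    if kind == "dated" and int(value) < now:
        return False, "expired"
    if kind == "keyword" and value in revoked:
        return False, "revoked"
    return True, kind


NOW = 1014200000  # constructed timestamp (February 2002)
DAY = 86400

if __name__ == "__main__":
    dated = make_dated("alice", "example.org", NOW)
    shop = make_keyword("alice", "example.org", "bookshop")
    print(dated, check_recipient(dated, NOW + 4 * DAY))
    print(dated, check_recipient(dated, NOW + 6 * DAY))
    print(shop, check_recipient(shop, NOW + 400 * DAY))
    print(shop, check_recipient(shop, NOW + 400 * DAY, revoked={"bookshop"}))
```

Because the expiry time sits inside the authenticated part of the address, a harvested dated address cannot be extended by editing the timestamp, and a leaked keyword address identifies which party passed it on.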

  • fight spam (Score:3, Informative)

    by 4444444 ( 444444 ) <4444444444444444 ... 444444@lenny.com> on Thursday February 21, 2002 @10:23AM (#3044292) Homepage
    we can all fight spammers use spamcop.net
  • by 4444444 ( 444444 ) <4444444444444444 ... 444444@lenny.com> on Thursday February 21, 2002 @10:26AM (#3044310) Homepage
    vigilante justice is the only way to fight spam
    go to http://www.goto.com and do a search for bulk email then click the links to cost spammers big bucks
